Security Issues and Fixes: 192.168.1.14
Type | Port | Issue and Fix |
Warning |
general/tcp |
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618 |
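To make the finding concrete, here is an added example (not part of the Nessus plugin output) that decodes the TCP flag byte and classifies the illegal SYN+FIN combination this host accepts, alongside the other flag combinations a packet filter or IDS should reject. The build_tcp helper constructs test segments in memory; the port numbers are arbitrary.

```python
import struct

# TCP flag bits, low byte of the 16-bit offset/flags word (RFC 793; ECE/CWR from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment whose header starts at offset 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]  # byte 12 is data offset/reserved, byte 13 holds the flags


def classify(segment: bytes) -> str:
    """Name the flag combination the way a stateless filter or IDS would judge it."""
    f = tcp_flags(segment)
    if f & SYN and f & FIN:
        return "invalid: SYN+FIN"      # the combination this host fails to discard
    if f & SYN and f & RST:
        return "invalid: SYN+RST"
    if f & (SYN | FIN | RST | ACK) == 0:
        return "invalid: null scan"
    if f & SYN and not f & ACK:
        return "connection request"
    if f & ACK:
        return "established traffic"
    return "other"


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0,
              window: int = 65535) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum left zero) for testing."""
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
```

A filter that only matches "SYN without ACK" as a connection request, and treats everything else as part of an established flow, lets a SYN+FIN segment through to a host that then completes a handshake on it; that is the bypass the finding describes. On FreeBSD 4.x the firewall-side mitigation is an ipfw rule using its tcpflags option (deny tcp segments matching syn,fin), and the host-side knob is the net.inet.tcp.drop_synfin sysctl, which on 4.x kernels of this era only takes effect in a kernel built with options TCP_DROP_SYNFIN.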
Warning |
general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213 |
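The "sequence number approximation" is easier to reason about with the acceptance rule written out. This added example (not from the plugin) models both rules: the pre-fix behaviour, where any RST whose sequence number lands anywhere inside the receive window tears the connection down, and the hardened rule used by later implementations, where an RST is only honoured when its sequence number is exactly RCV.NXT. It also estimates how many spoofed segments an attacker must send per candidate 4-tuple. Window sizes, port-candidate counts and packet rates are illustrative assumptions.

```python
SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, window: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + window), with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def accepts_rst(seq: int, rcv_nxt: int, window: int, strict: bool) -> bool:
    """strict=False: the vulnerable rule, any in-window RST resets the connection.
    strict=True: the hardened rule, only an RST at exactly RCV.NXT is honoured."""
    if strict:
        return seq == rcv_nxt
    return in_window(seq, rcv_nxt, window)


def rst_guesses(window: int, port_candidates: int = 1, strict: bool = False) -> int:
    """Spoofed RSTs needed to cover the whole sequence space for every candidate
    source port the attacker has to try (assumes the IPs and one port are known)."""
    if window <= 0 or port_candidates <= 0:
        raise ValueError("window and port_candidates must be positive")
    per_port = SEQ_SPACE if strict else -(-SEQ_SPACE // window)  # ceiling division
    return per_port * port_candidates


def attack_seconds(window: int, port_candidates: int, pps: int, strict: bool = False) -> float:
    """Wall-clock cost at a given spoofed-packet rate (illustrative)."""
    return rst_guesses(window, port_candidates, strict) / pps
```

With a 16384-byte window and one known port, the vulnerable rule needs 262144 packets, a few seconds at the rates a broadband link can source; the strict rule needs the full 2^32, which is why long-lived sessions such as BGP peerings were the concern. Larger advertised windows (and window scaling) shrink the vulnerable count further.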
Informational |
general/tcp |
The remote host is up
Nessus ID : 10180 |
Informational |
general/tcp |
Nmap found that this host is running FreeBSD 4.6.2-RELEASE - 4.8-RELEASE, FreeBSD 4.7-RELEASE, FreeBSD 4.8-RELEASE through 4.9-STABLE, FreeBSD 4.8-STABLE - 4.9-PRERELEASE
Nessus ID : 10336 |
Informational |
general/tcp |
HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890 |
Informational |
general/tcp |
The remote host is running one of these operating systems :
FreeBSD 4.9
FreeBSD 4.8
FreeBSD 4.7
Nessus ID : 11936 |
Warning |
echo (7/tcp) |
The remote host is running the 'echo' service. This service
echoes back any data which is sent to it.
This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.
Solution :
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061 |
Informational |
echo (7/tcp) |
An echo server is running on this port
Nessus ID : 10330 |
Warning |
echo (7/udp) |
The remote host is running the 'echo' service. This service
echoes back any data which is sent to it.
This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.
Solution :
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061 |
Warning |
discard (9/tcp) |
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.
This service is unused these days, so it is advised that you
disable it.
Solution :
- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367 |
Warning |
daytime (13/tcp) |
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.
In addition, the UDP version of daytime is running: by spoofing packets,
an attacker may link it to the echo port of a third-party host, thus
creating a possible denial of service condition between this host and
that third party.
Solution :
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052 |
Warning |
daytime (13/udp) |
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.
The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.
In addition, the UDP version of daytime is running: by spoofing packets,
an attacker may link it to the echo port of a third-party host, thus
creating a possible denial of service condition between this host and
that third party.
Solution :
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052 |
Informational |
chargen (19/tcp) |
Chargen is running on this port
Nessus ID : 10330 |
Vulnerability |
ftp (21/tcp) |
It was possible to kill the service by sending a single long
text line.
A cracker may be able to use this flaw to crash your software
or even execute arbitrary code on your system.
Risk factor : High
Nessus ID : 11175 |
Vulnerability |
ftp (21/tcp) |
It was possible to disable the remote FTP server
by connecting to it about 3000 times, with
one connection at a time.
If the remote server is running from within [x]inetd, this
is a feature and the FTP server should automatically be back
in a couple of minutes.
An attacker may use this flaw to prevent this
service from working properly.
Solution : If the remote server is GoodTech ftpd server,
download the newest version from http://www.goodtechsys.com.
Risk factor : High
CVE : CAN-2001-0188
BID : 2270
Nessus ID : 10690 |
Informational |
ftp (21/tcp) |
An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330 |
Vulnerability |
ssh (22/tcp) |
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.
An exploit for this issue is rumored to exist.
Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relied solely on the
banner of the remote SSH server to perform this check, this might
be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837 |
Warning |
ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of
hosts a given user can log from by specifying a pattern
in the user key file (ie: *.mynetwork.com would let a user
connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712 |
Warning |
ssh (22/tcp) |
You are running OpenSSH-portable 3.6.1p1 or older.
If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.
An attacker may use this flaw to set up a brute force attack against
the remote host.
*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive
Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk factor : Low
CVE : CAN-2003-0190
BID : 7342, 7467, 7482
Other references : RHSA:RHSA-2003:222-01
Nessus ID : 11574 |
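The three OpenSSH findings above (Nessus 11837, 11712 and 11574) are all banner-based version comparisons, and all three carry the same caveat: a vendor may backport the fix without bumping the version string. This added example (not Nessus code) parses an OpenSSH banner of the form this scan reports, SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924, compares it against the fixed versions named in those findings, and separately flags whether a vendor build string is present, because that is the case where the result must be confirmed on the host rather than trusted. The fixed-version thresholds are taken from the findings above; the CHECKS table and helper names are this example's own.

```python
import re

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+){1,2})"
    r"(?P<portable>p\d+)?(?:\s+(?P<vendor>\S.*))?$"
)

# (finding, version in which it is fixed, portable patch level if the fix is portable-only)
CHECKS = [
    ("Nessus 11837 / CAN-2003-0682,0693,0695: buffer management, fixed in 3.7.1", (3, 7, 1), None),
    ("Nessus 11712 / CAN-2003-0386: reverse-DNS pattern bypass, fixed in 3.6.2", (3, 6, 2), None),
    ("Nessus 11574 / CAN-2003-0190: PAM timing leak, fixed in portable 3.6.1p2", (3, 6, 1), 2),
]


def parse_openssh_banner(banner: str):
    """Split an sshd banner into protocol, version tuple, portable patch level and
    any trailing vendor build string. Returns None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "version": tuple(int(x) for x in m.group("ver").split(".")),
        "patchlevel": int(m.group("portable")[1:]) if m.group("portable") else None,
        "vendor": m.group("vendor"),  # e.g. "FreeBSD-20030924", a vendor build string
    }


def _key(version, patchlevel):
    """Normalise (3, 5) + p1 and (3, 7, 1) + p2 into comparable 4-tuples."""
    return tuple(version) + (0,) * (3 - len(version)) + (patchlevel or 0,)


def evaluate_banner(banner: str):
    """Return (parsed info, findings whose fixed version is newer than the banner,
    True if a vendor build string is present and a silent backport is possible)."""
    info = parse_openssh_banner(banner)
    if info is None:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    hits = []
    for name, fixed_version, fixed_patch in CHECKS:
        if fixed_patch is not None and info["patchlevel"] is None:
            continue  # portable-only issue, but this is a native OpenBSD build
        if _key(info["version"], info["patchlevel"]) < _key(fixed_version, fixed_patch):
            hits.append(name)
    return info, hits, info["vendor"] is not None
```

For the banner in this scan the function reports all three findings and sets the vendor-build flag: FreeBSD's base-system sshd carries a build date instead of a new version number, and 20030924 is after the September 2003 release of OpenSSH 3.7.1, so the 11837 result in particular should be checked against the host's installed source patches before it is treated as a confirmed hole.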
Warning |
ssh (22/tcp) |
The remote SSH daemon supports connections made
using versions 1.33 and/or 1.5 of the SSH protocol.
These protocol versions are not cryptographically sound,
so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
Nessus ID : 10882 |
Informational |
ssh (22/tcp) |
An ssh server is running on this port
Nessus ID : 10330 |
Informational |
ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924
Nessus ID : 10267 |
Informational |
ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 8a:44:5a:fd:bf:8e:44:e6:7b:a2:5e:16:02:09:62:fa
SSHv2 host key fingerprint : f0:65:65:74:ad:ab:52:c6:77:93:ad:10:b8:1e:04:a8
Nessus ID : 10881 |
Informational |
telnet (23/tcp) |
An unknown service is running on this port.
It is usually reserved for Telnet
Nessus ID : 10330 |
Informational |
time (37/tcp) |
A time server seems to be running on this port
Nessus ID : 10330 |
Warning |
finger (79/tcp) |
The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...
Here is the output we obtained for 'root' :
Login: root Name: Charlie Root
Directory: /root Shell: /bin/csh
Never logged in.
No Mail.
No Plan.
Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068 |
Informational |
finger (79/tcp) |
A finger server seems to be running on this port
Nessus ID : 10330 |
Warning |
auth (113/tcp) |
The remote host is running an ident (also known as 'auth') daemon.
The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.
Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd
Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021 |
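The echo, discard, daytime, chargen, finger and auth findings in this report all end in the same fix: comment the service out of /etc/inetd.conf and signal inetd. Here is an added example (not part of the Nessus output) that applies that edit to the file contents in memory, so the diff can be reviewed before anything touches the host. The sample inetd.conf is constructed for this example using FreeBSD's field layout (service, socket type, protocol, wait/nowait, user, program, arguments); the service list and function names are this example's own.

```python
# Services the findings above say to disable; 'ident' covers the alternate name
# some inetd.conf files use for auth.
UNUSED_SERVICES = frozenset({"echo", "discard", "daytime", "chargen", "finger", "auth", "ident"})

# Constructed sample; not copied from the scanned host.
SAMPLE_INETD_CONF = """\
# sample /etc/inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
auth    stream  tcp     nowait  root    internal    auth -r -f -n -o UNKNOWN -t 30
#time   stream  tcp     nowait  root    internal
"""


def disable_inetd_services(conf: str, services=UNUSED_SERVICES):
    """Comment out every active inetd.conf entry whose service name is in `services`.
    Returns (new file contents, list of 'service/protocol' entries that were disabled).
    Lines that are blank or already commented are passed through untouched."""
    out, disabled = [], []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            fields = stripped.split()
            # fields[0] is the service name, fields[2] the protocol (tcp/udp)
            if len(fields) >= 3 and fields[0] in services:
                out.append("#" + line)
                disabled.append(f"{fields[0]}/{fields[2]}")
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_conf, disabled = disable_inetd_services(SAMPLE_INETD_CONF)
    print("disabled:", ", ".join(disabled))
    print(new_conf)
```

Both the TCP and UDP echo and daytime entries are disabled in one pass, which matters because the UDP variants are the ones usable for the spoofed echo/chargen/daytime loops the daytime finding describes. After writing the result back to /etc/inetd.conf, send inetd a HUP (on FreeBSD, kill -HUP with the PID from /var/run/inetd.pid) and re-scan ports 7, 9, 13, 19, 79 and 113 over both TCP and UDP to confirm they are closed.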
Informational |
auth (113/tcp) |
An identd server is running on this port
Nessus ID : 10330 |
Informational |
uucp (540/tcp) |
An UUCP server seems to be running on this port
Nessus ID : 10330 |
Informational |
kshell (544/tcp) |
The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper
Nessus ID : 10330 |
Vulnerability |
general/icmp |
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.
Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.
See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197 |
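An Etherleak is visible on the wire: Ethernet frames shorter than 60 bytes must be padded, a correct driver pads with zeros, and a leaking driver pads with whatever was left in its transmit buffer. This added example (not from the plugin or the advisory) is the check a practitioner would run over captured frames from the host: it locates the end of the IPv4 packet from the header's total-length field and inspects what follows. The two frames are constructed in memory (Ethernet plus a 28-byte IPv4/ICMP echo request, checksums left zero); the "leaked" bytes are a stand-in for stale buffer contents, not real data from the scanned host.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME_LEN = 60  # minimum Ethernet frame size without the 4-byte FCS


def frame_padding(frame: bytes) -> bytes:
    """Return the bytes after the end of the IPv4 packet, i.e. the Ethernet padding."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short to carry an IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled here")
    total_length = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return frame[ETH_HDR_LEN + total_length:]


def looks_like_etherleak(frame: bytes) -> bool:
    """Non-zero padding means the driver copied stale buffer contents onto the wire."""
    return any(frame_padding(frame))


def build_frame(padding: bytes) -> bytes:
    """Constructed 42-byte frame (Ethernet + IPv4 + 8-byte ICMP echo request) plus padding."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # echo request, checksum zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 3]), bytes([192, 168, 1, 14]))
    return eth + ip + icmp + padding


PAD_LEN = MIN_FRAME_LEN - 42                       # 18 bytes of padding needed
CLEAN_FRAME = build_frame(b"\x00" * PAD_LEN)       # what a correct driver emits
LEAKED_BYTES = b"root:*:0:0:Charlie"[:PAD_LEN]     # constructed stand-in for stale memory
LEAKY_FRAME = build_frame(LEAKED_BYTES)
```

To apply this to the real host, send it a stream of short packets (ICMP echo requests with no payload are the usual choice), capture the replies with full frame bytes, and run each through looks_like_etherleak; padding that changes from reply to reply is the strongest sign, since it means different buffer contents are being copied each time.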
Warning |
general/icmp |
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the time of day set on your machine's clock.
This may help him to defeat your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114 |
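What the attacker actually gets back is shown by decoding the reply. This added example (not plugin code) parses an ICMP timestamp reply (type 14), renders the host's timestamp as a wall-clock time, and computes the offset between the target's clock and the scanner's the way NTP does, which is the number an attacker would use against a time-based scheme. The reply bytes are constructed in memory with a zero checksum; the clock values are illustrative.

```python
import struct

ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
MS_PER_DAY = 86_400_000


def build_timestamp_reply(ident: int, seq: int, originate: int, receive: int, transmit: int) -> bytes:
    """Constructed type-14 message; checksum left zero because nothing here sends it."""
    return struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, originate, receive, transmit)


def parse_timestamp_reply(msg: bytes) -> dict:
    """Decode the three RFC 792 timestamps (milliseconds since midnight UT)."""
    if len(msg) < 20:
        raise ValueError("truncated ICMP timestamp message")
    typ, _code, _csum, ident, seq, originate, receive, transmit = struct.unpack("!BBHHHIII", msg[:20])
    if typ != ICMP_TIMESTAMP_REPLY:
        raise ValueError(f"ICMP type {typ} is not a timestamp reply")
    return {"id": ident, "seq": seq, "originate": originate, "receive": receive, "transmit": transmit}


def ms_to_clock(ms: int) -> str:
    """Render a milliseconds-since-midnight value as HH:MM:SS.mmm."""
    ms %= MS_PER_DAY
    hours, rest = divmod(ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1000)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{millis:03d}"


def clock_offset_ms(reply: dict, local_now_ms: int) -> int:
    """Target clock minus ours, assuming a symmetric path: the NTP offset formula."""
    return ((reply["receive"] - reply["originate"]) + (reply["transmit"] - local_now_ms)) // 2


# Constructed exchange: we sent at 12:00:00.000 by our clock, the reply came back
# 20 ms later, and the target stamped it with a clock running 5 s ahead of ours.
OUR_SEND_MS = 43_200_000
OUR_RECV_MS = 43_200_020
SAMPLE_REPLY = build_timestamp_reply(0x4E55, 1, OUR_SEND_MS, 43_205_010, 43_205_010)
```

The filtering advice in the finding maps onto an ipfw rule that denies ICMP with icmptypes 13 inbound and 14 outbound; if the host must stay reachable for diagnostics, blocking only type 13 at the border is enough, since no reply is generated without the request.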
Informational |
general/icmp |
Here is the route recorded between 192.168.1.3 and 192.168.1.14 :
192.168.1.14.
Nessus ID : 12264 |
Informational |
general/udp |
For your information, here is the traceroute to 192.168.1.14 :
192.168.1.3
192.168.1.14
Nessus ID : 10287 |